Quantum Security of the Combined Feedback Mode
Graphical Abstract
Abstract
Authenticated Encryption with Associated Data (AEAD) plays a critical role in secure communication protocols, offering confidentiality, integrity, and authenticity. However, the advent of quantum computing poses a significant threat to the security of AEADs, including ISO/IEC standards such as OCB and GCM, highlighting the need for a thorough evaluation of their quantum resistance. COFB is a lightweight AEAD mode proposed at CHES'17 that has gained significant attention due to its excellent performance in both software and hardware implementations. In this paper, we study the post-quantum security of COFB. First, we show that COFB is insecure under the qPRF security notion by presenting an attack that uses a single encryption query. Next, we investigate the IND-qCPA security of COFB. Specifically, we show that if COFB is instantiated with a qPRF-secure $n$-bit block cipher, its IND-qCPA security bound is roughly $\frac{Q^{7/4} \cdot \ell^{11/4}}{2^{n/2}} + \frac{Q \ell}{2^{n/4}}$, where $Q$ is the number of encryption queries and $\ell$ is the maximum length (in blocks) of the messages in each query. Furthermore, we extend this result to the NIST Lightweight Cryptography (LWC) finalist GIFT-COFB, obtaining a security bound of $\frac{Q^{7/4} \cdot \ell^{11/4}}{2^{n/2}}$.